Syslog message formats
The default message format for messages sent by the agent is a simplified basic syslog message: the facility and severity code (the syslog PRI value), followed by an optional message prefix, and then the content of the Windows event log message in reduced form, with runs of extra spaces and tabs removed from the message text.
The MessageFormat directive changes this default format. When the directive is present in the configuration file, it takes one of the values default (the basic format described above), RFC (or RFC3164), LEEF, or CEF. The non-default values change the message content as follows:
- RFC (or RFC3164)—This applies a standard syslog message header containing the date and time the message was generated, as taken from the Windows event log, followed by the hostname, followed by the message content. This is the header format prescribed in RFC 3164, section 4.1.2. The values RFC and RFC3164 are exactly equivalent.
- LEEF—This reformats the message to use the QRadar LEEF format, compliant with the IBM specification. This format works with LEEF-compatible systems but is harder for humans to read and parse than the default format.
- CEF—This reformats the message to use the ArcSight CEF format, compliant with the HP specification. In particular, the event signature (signature ID) portion of the CEF message is derived consistently from the message content and contains the Windows event identifier. This format works with CEF-compatible systems but is even harder for humans to parse.
Unless a downstream system specifically requires one of the alternate formats, do not include the MessageFormat directive in the configuration file, so that the agent sends the default format described at the start of this section. The default format gives the best interoperability with other programs and makes the syslog content received by BMC Defender Server easier to configure and inspect.
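When a collector or a detection rule has to accept messages from agents that run with different MessageFormat settings, it helps to see how the four layouts differ on the wire. The following parser is an added example written for this page; it is not code from the BMC Defender agent, and the sample lines are constructed to follow the public RFC 3164, LEEF and CEF layouts rather than copied from real agent output (whether the agent prefixes LEEF and CEF messages with an RFC 3164 header is an assumption here; the parser accepts them with or without one). It splits the PRI into facility and severity, detects an RFC 3164 header, and pulls the event ID out of the LEEF event ID field or the CEF signature ID field.

```python
"""Classify and parse the syslog message layouts described above.

Hypothetical helper written for this page, not part of the BMC Defender
agent. Sample lines are constructed to follow the public RFC 3164, LEEF
and CEF layouts; they are not captured agent output.
"""
import re

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 section 4.1.2 header: "Mmm dd hh:mm:ss HOSTNAME " (day may be space padded).
HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
# CEF extension: space separated key=value pairs whose values may contain spaces.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def split_pri(pri):
    """Facility is PRI // 8 and severity is PRI % 8 (RFC 3164 section 4.1.1)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def parse_leef(body):
    """LEEF:Version|Vendor|Product|Version|EventID|tab-separated key=value attributes."""
    fields = body.split("|", 5)
    if len(fields) < 6:
        raise ValueError("short LEEF header")
    attrs = dict(kv.split("=", 1) for kv in fields[5].split("\t") if "=" in kv)
    return {"event_id": fields[4], "name": None, "attrs": attrs}


def parse_cef(body):
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.

    Escaped pipes (\\|) inside header fields are not handled; this is a
    simplification for illustration.
    """
    fields = body.split("|", 7)
    if len(fields) < 8:
        raise ValueError("short CEF header")
    attrs = dict(CEF_EXT_RE.findall(fields[7]))
    return {"event_id": fields[4], "name": fields[5], "attrs": attrs}


def parse_syslog(line):
    """Return facility, severity, hostname, detected format and event data."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> at start of message")
    facility, severity = split_pri(int(m.group(1)))
    rest = m.group(2)
    out = {"facility": facility, "severity": severity, "hostname": None,
           "event_id": None, "format": "default"}
    h = HDR_RE.match(rest)
    if h:
        out["hostname"] = h.group("host")
        out["format"] = "RFC3164"
        rest = h.group("msg")
    if rest.startswith("LEEF:"):
        out["format"] = "LEEF"
        out.update(parse_leef(rest))
    elif rest.startswith("CEF:"):
        out["format"] = "CEF"
        out.update(parse_cef(rest))
    else:
        # Default format: collapse extra spaces and tabs, as the agent does.
        out["message"] = " ".join(rest.split())
    return out


# Constructed sample lines (one per MessageFormat value); PRI 13 = facility 1, severity 5.
SAMPLES = {
    "default": "<13>Security: 4624: An account was   successfully logged on.",
    "rfc3164": "<13>Oct 11 22:14:15 WINHOST01 Security: 4624: An account was successfully logged on.",
    "leef": "<13>Oct 11 22:14:15 WINHOST01 LEEF:1.0|Microsoft|Windows|2016|4624|usrName=alice\tsrc=10.0.0.5",
    "cef": "<13>Oct 11 22:14:15 WINHOST01 CEF:0|Microsoft|Windows|2016|4624|"
           "An account was successfully logged on|3|suser=alice src=10.0.0.5",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse_syslog(line))
```

Note that the default format carries no timestamp or hostname at all, so a collector that relies on those fields must take them from the transport (the sender's IP address and arrival time) rather than from the message; that is one reason the RFC3164 setting exists, while LEEF and CEF are the only two layouts that expose the Windows event identifier in a dedicated field.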